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1 . (currently amended) A method of securing packet data transferred between a first and second 
member of a private network over a backbone, the backbone operating according to a routing 
protocol, the method comprising the steps of: 

receiving a packet from any one of a plurality of members of a private network, the 
packet being sent from only one member to only one other member of the private network, t he 
packet including a private network address comprising a source address and a destination 
address, the packet further including a payload; and 

in response to determining that [[if]] the packet must be transmitted over the backbone in 
order to reach the destination address: 

apportioning the packet into a first portion and a second portion, wherein the first 
portion includes fields of the packet used for transmission of the packet according to the protocol 
of the backbone including the private network address and the second portion includes the 
payload; 

appending a gateway source address associated with the source address of the 
packet to the second portion to generate a group header and transforming the second portion of 
the packet according to a group security association associated with a plurality of members of the 
private network to provide a transformed portion which includes a transformed group header 
where at least one member of the private network with which the group security association is 
associated is neither sender nor recipient of the packet ; 

appending the first portion of the packet to the transformed portion to provide a 
transformed packet; and 

transmitting the transformed packet to the backbone using the private network address. 

2. (cancelled) 



3. (cancelled) 
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4. (currently amended) The method of claim 1 wherein the step of transforming is performed at 
[[the]] a first member of the private network. 

5. (cancelled) 

6. (previously presented) The method according to claim 1, wherein the first portion of the 
packet comprises a first header having a type the group header comprises a group type and 
wherein the step of generating a group header includes the step of copying the type of the first 
header to the group type. 

7. (original) The method according to step 6, wherein the first header further includes a length, 
the group header further includes a group length, and wherein the method includes the steps of 
copying the length to the group length. 

8. (original) The method according to claim 1 wherein the group security association is an 
Internet Protocol Security transform. 

9. (original) The method according to claim 8, wherein the group security association is an 
Encapsulated Security Protocol. 

10. (original) The method according to claim 1, wherein the group security association is an 
Internet Key Encryption. 

1 1 . (original) The method according to claim 1 , further comprising the step of receiving, at 
each member of the private network, a key corresponding to the private network group 
security association. 

12. (currently amended) A method for securing a communication link between [[at least]] two 
members of a private network, the communication link for transporting a packet having a first 
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header and a payload, the first header comprising a private network address identifying a source 
address and a destination address packet, the method including the steps of: 

distributing a group security association to each of the at least [[two]] three members of 
the private network; 

transforming each packet transferred between only two of the at least three members of 
the private network in response to determining that [[if]] the packet must be transmitted over a 
backbone, the step of transforming including the steps of: 

generating a second header, the second header including a gateway source address 
associated with the source address in the first header, and a destination address identifying the 
private network; 

replacing the first header of the packet with the generated second header to 
provide a modified packet; 

applying the group security association to the modified packet to provide a secure 
packet including applying the security association to the gateway source address; and 

appending the first header to the secure packet to provide a transformed packet; 

and 

forwarding the transformed packet over the communication link using the private network 
addresSi 

whereby at least one member of the private network with which the group security 
association is associated is neither sender nor recipient of the packet . 

13. (cancelled) 

14. (cancelled) 

15. (original) The method of claim 12, wherein the step of transforming is performed at a 
gateway device disposed between one of the at least two members of the virtual private network 
and the communication link. 
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16. (withdrawn) A method of receiving a packet transmitted between a first and second member 
of a private network over a backbone operating according to a protocol comprising the steps of: 

receiving a packet from the first member of the private network for the second member of 
the private network, the packet including an address of the private network; 

determining, responsive to the address, whether the packet received over the backbone is 
a secure packet; 

responsive to a determination that the packet is a secure packet, stripping a first header 
from the packet to provide a remainder packet, the remainder packet comprising a group header 
and an encapsulated payload, and applying a group security association associated with the 
private network to the remainder packet, the remainder packet comprising an updated group 
header including fields associated with the protocol of the backbone. 

17. (withdrawn) The method according to claim 16, wherein the backbone comprises a plurality 
of provider devices, and wherein the steps of receiving, determining and stripping occur at one of 
the provider edge devices. 

18. (withdrawn) The method according to claim 16, wherein an edge device is disposed between 
the backbone and the second member of the private network, and wherein the steps of 

receiving, determining and stripping occur at the edge device. 

19. (withdrawn) The method according to claim 16, wherein the step of determining further 
comprises the step of analyzing bits of the packet that identify a type of the packet. 

20. (withdrawn) The method according to claim 16, wherein the first header and the group header 
each include a type field, and wherein the step of determining determines whether the type field 
of the first header and the type field of the second header correspond to predetermined values. 

21. (withdrawn) The method according to claim 16, further comprising the step of copying a type 
field from the updated group header into a type field of the first header, stripping the updated 
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group header from the payload, and appending the first header to the payload to provide a 
restored packet for forwarding. 

22. (withdrawn) The method-according to claim 16 further comprising the step of determining 
whether the group security association can be processed at the receiver. 

23. (currently amended) An apparatus at a node for transforming packets for forwarding between 
only two members of a plurality of members of a group that includes more than two members 
communicating on a scalable private network over a backbone, each of the plurality of group 
members communicating with the backbone via respective gateways, wherein the backbone 
operates according to a protocol, the apparatus comprising: 

physical memory circuitry including a key tabic, the key table including a security 
association for each group for which the node is a member; 

a microprocessor that executes transform logic comprising means for modifying packets 
received from only one [[a]] source member of the group for transfer to only one destination 
member of the group on a private network over the backbone by: 

extracting a private network address header from a received packet, the private 
network address header including a source and destination address; 

appending, to the received packet, a group header including a group identifier 
associated with the private network and a gateway address associated with a source member; 

the received packet including the group header to provide a modified packet 
appending the private network address header to the modified packet to provide a 
transformed packet, where only information in the transformed packet that enables 
communication over the backbone is unsecured; and 

forwarding logic for forwarding communication between members of the group using a 
private network address associated with the groupi 

whereby at least one member of the private network with which the group security 
association is associated is neither sender nor recipient of the packet . 

24. (cancelled) 



Serial No. 10/661657 



-7- 



Art Unit: 2131 



25. (cancelled) 

26. (original) The apparatus of claim 23, wherein the node is one of the plurality of members of 
the scalable private network. 

27. (withdrawn) An apparatus at a node for restoring transformed packets forwarded between a 
plurality of members of a scalable private network over a backbone, wherein the backbone 
operates according to a protocol, the apparatus comprising: 

a control path including: 

means for determining whether the packet is a transformed packet; 

a key table, the key table including a security association for each private network that 
the node is a member; 

restore logic operable to apply a security association to only a portion oT each 
transformed packet, responsive to the means for determining indicating that the packet is a 
transformed packet. 

28. (withdrawn) The apparatus of claim 27 further comprising a forwarding path, wherein 
packets are always forwarded first to the control path to determine whether the packet is a 
transformed packet. 

29. (withdrawn) The apparatus of claim 27 wherein the backbone comprises a plurality of 
provider devices, and wherein the node is one of the plurality of provider devices in the 
backbone. 

30. (withdrawn) The apparatus of claim 27 wherein the node is an edge device disposed between 
the 

backbone and a receiving member of the scalable private network. 



